> ## Documentation Index
> Fetch the complete documentation index at: https://docs.webhook.co/llms.txt
> Use this file to discover all available pages before exploring further.

# Rotate an outbound signing secret with zero downtime

> Roll a destination's Standard Webhooks signing secret through a dual-signature grace window so your receiver never rejects a valid event.

Rotate a destination's signing secret without a window where your receiver rejects good traffic. Rotation mints a new secret while the previous one keeps verifying during a bounded overlap — you cut the receiver over inside that window.

<Steps>
  <Step title="Rotate — the new secret is shown once">
    ```sh theme={null}
    wbhk replay-destinations rotate-secret <destination-id>
    # → new signing secret (shown once): whsec...
    #   the previous secret keeps verifying during a brief overlap.
    ```
  </Step>

  <Step title="Add the new secret to your receiver, alongside the old">
    During the overlap, both secrets validate — the delivery carries both signatures, space-delimited. Configure your Standard Webhooks verifier to accept **either** so in-flight deliveries signed with the old key still pass while you deploy.
  </Step>

  <Step title="Cut over, then drop the old secret">
    Once the receiver is deployed and verifying the new secret, remove the old one from your verifier. Confirm nothing is failing verification before you do.

    ```sh theme={null}
    wbhk replay-destinations list-secrets <destination-id>
    wbhk deliveries list --destination <destination-id> --status failed,dead
    ```
  </Step>
</Steps>

<Note>
  The overlap is bounded — treat it as your deploy window, not an indefinite dual-key mode. Rotate
  again if you miss it; the old secret simply stops verifying when the window closes.
</Note>
